Blog

Researcher exposes VirtualBox zero-day vulnerability

A Russian security researcher fed up with the current state of infosec has published details about a zero-day vulnerability affecting Oracle’s popular virtual machine software VirtualBox without first informing the company.

Saint Petersburg-based researcher Sergey Zelenyuk discovered a chain of bugs that can allow malicious code to escape from a VirtualBox virtual machine and execute on the host operating system.

Once the code has escaped out of the VirtualBox VM, it runs in the OS’ limited userspace on kernel ring 3. However, Zelenyuk noted that attackers could make use of known private escalation bugs to gain kernel-level access on ring zero.

He provided more details on the text file detailing the zero-day vulnerability that he uploaded on GitHub to ZDNet, saying:

“The exploit is 100% reliable. It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account.”

Scope and severity of the vulnerability

According to Zelenyuk, the zero-day vulnerability affects all current VirtualBox releases and can be executed regardless of the host or guest operating system a user is running. It is also reliable against the default configuration of newly created VMs.

While the zero-day is not considered a threat to cloud hosting environments because they use a Type-1 hypervisor as opposed to the Type-2 hypervisor used by Virtual Box, security researchers are concerned because Oracle’s VM software is used regularly for malware analysis and reverse engineering.

Malware creators could embed the zero-day’s exploit chain inside malware strains with the intention that it would escape from VirtualBox VMs and infect researchers’ operating systems.

Security researcher at Tripwire, Craig Young provided further insight on the zero-day vulnerability, saying:

“The vulnerability is in the implementation of a virtual Intel E1000 compatible network adapter. The write-up demonstrates how an attacker with permissions to load Linux kernel modules in a Virtual Box guest environment can achieve low-privileged code execution on the host OS which can then be elevated to gain administrative access to the host. Anyone using Virtual Box for accessing untrusted content (malware analysts for example) should immediately review their machine profiles and at least temporarily discontinue use of the E1000 device in favor of the PCNET adapter. Users should avoid running any less than trustworthy applications in any Virtual Box environment with E1000 enabled until Oracle is able to release a fix.”